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— Summary of the Invention— ; 

Page 3, at line 9 and before the paragraph beginning "Other 
characteristics... insert the following heading at the left hand margin: 
— Brief Description of the Drawings— ; 

Page 3, at line 17, before the paragraph beginning "Fig. 1...", insert the 
following heading at the left-hand margin: 
- Description of the Preferred Embodiments —: 

Page 6, line 25, after "table", delete "7" and substitute -(7)~; 
C IN THE CLAIMS: 

^: Please cancel claims 1- 7 in their entirety and without prejudice and substitute 

M the following new claims: 

ins 

y ^ 1 —8. A high-performance specification resolution method for use in detecting 

s 

>{ 2 attacks against computer systems comprising: 

•LJi, 

f j 3 a) formulating audit conditions to be detected using non-limiting specification 

g 4 formulas expressing fraudulent entry or attack patterns or abnormal operations, to be 

5 verified by examining the records of a log file of the computer system; 

6 b) expanding said formulas into subformulas; 

7 c) scanning by an interpreter, and generating, for each expanded formula in 

8 each record, Horn clauses to resolve in order to detect whether or not the formula is 

9 valid in the record, the Horn clauses expressing the implications resolvent of the 

10 subformulas for each record scanned, in positive clauses, i.e. counting only a 

1 1 positive literal and in non-positive clauses, i.e. counting at least one negative literal, 

12 which negative literals form the negative part of the clause; 
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13 d) storing positive Hprn clauses in a stack of worked subformulas, and storing, 

14 in a table comprising a representation, implicating subformula(s) constituting the 

15 negative part of the clause and the link with the implicated subformula(s) constituting 

16 the positive part of the clause, and storing in a counter the number of formulas or 

17 subformulas present in the negative part of the clause for each implicated 

18 subformula; 

19 e) resolving the table based on each positive clause encountered, so as to 

20 generate either an output file or an action of the computer system; 

21 f) iterating steps b) through e) until the scanning of all the records in the log 

22 file is complete. 


1 9 A method according to claim 8, characterized in that a temporal logic is 

2 used for the formulation of the specification. 


1 10. A method according to claim 8, characterized in that the table is a 

2 matrix and is indexed in columns by subscripts of the formulas appearing in the 

3 negative part of the Horn clauses, and the lines are the Horn clauses exactly. 

1 1 1 . A method according to claim 8, characterized in that the table is 

2 preferably represented in the form of a sparse matrix, the columns being represented 

3 by means of chained lists and the implicit lines. 
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12. A method according to claim 8, characterized in that a step for 
optimizing the expansion of the formulas is obtained through a hash table to ensure 
that the same formula is not expanded more than once in each record. 

13. A method according to claim 9, characterized in that a step for 
optimizing the expansion of the formulas is obtained through a hash table to ensure 
that the same formula is not expanded more than once in each record. 

14. A method according to claim 8, characterized in that the log file is 
scanned only once from beginning to end. 

15. A computer system comprising storage means and means for 
executing programs for implementing a high performance resolution method for 
deleting attacks against the system wherein the method: 

a) formulates audit conditions to be detected using non-limiting specification 
formulas expressing fraudulent entry or attack patterns or abnormal operations, to be 
verified by examining the records of a log file of the computer system; 

b) expands said formulas into subformulas; 

c) scans by an interpreter, and generates, for each expanded formula in each 
record, Horn clauses to resolve in order to detect whether or not the formula is valid 
in the record, the Horn clauses expressing the implications resolvent of the 
subformulas for each record scanned, in positive clauses, i.e. counting only a 
positive literal and in non-positive clauses, i.e. counting at least one negative literal, 
which negative literals form the negative part of the clause; 
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14 d) stores positive Hqrn clauses in a stack of worked subformulas, and storing, 

15 in a table comprising a representation, implicating subformula(s) constituting the 

16 negative part of the clause and the link with the implicated subformula(s) constituting 

17 the positive part of the clause, and stores in a counter the number of formulas or 

18 subformulas present in the negative part of the clause for each implicated 

19 subformula; and 

20 e) resolves the table based on each positive clause encountered, so as to 

21 generate either an output file or an action of the computer system; 

O 22 - an adaptor for translating information from a log file formulated in the specific 

jjp 23 language of the machine into a language comprehensible to an interpreter; 
V 24 - the interpreter receiving the information from the adapter and receiving the 

2q 25 formulation of the specification in a temporal logic in a specification formula in order 

Q 26 to expand said formula and fill in the table and the stack of worked subformulas 

27 stored in a memory of the computer system and resulting from the scanning of the 

W 

5;f 28 computer systenrVs log file; 

29 - a clause processing algorithm executed by the computer system, for 

30 resolving the Horn clauses using the information from the table and the stack of 

31 worked subformulas, said clause processing algorithm generating an output file or 

32 generating an action. 

1 16. A computer system as defined in claim 15 wherein the temporal logic is 

2 used for formulation of the specification. 
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17. A computer system as defined in claim 1 5, wherein the table is a matrix 
and is indexed in columns by subscripts of the formulas appearing in the negative 
part of the Horn clauses, and the lines are the Horn clauses exactly. 

18. A computer system as defined in claim 1 5, wherein the table is 
preferably represented in the form of a sparse matrix, the columns being represented 
by means of chained lists and the implicit lines. 

19. A computer system as defined in claim 15 including a hash table to 
ensure that the same formula is not expanded more than once in each record. 

20. A computer system as defined in claim 16 including a hash table to 
ensure that the same formula is not expanded more than once in each record. 

21 . A computer system as defined in claim 15 including means for 
scanning the log file only once from beginning to end.— 
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